[foaf-protocols] WebID distilled - was: PEM certificate- was cert:public_key

Jiří Procházka ojirio at gmail.com
Wed Oct 6 21:29:53 CEST 2010


On 10/06/2010 09:19 PM, Dave Longley wrote:
> On 10/06/2010 02:49 PM, Jiří Procházka wrote:
>> Following today's #swig irc discussion about this [1], I would like to
>> propose even more simplifying WebID - along with removing the
>> requirement of RDF parsing, remove the requirement of content
>> negotiation.
>> How to achieve this?
>>
>> The most recent proposal was effectively to have the PEM file and the
>> profile document share a URI.
>> Instead of this I suggest adding not 1 but 2 additional pieces of
>> information to the certificate:
>> 1) the WebID profile document URI
>> 2) a WebID certificate URI
>>    
> 
> My only issue with this is that there needs to be a mechanism that
> ensures that the owner of #2 is also the owner of #1. Otherwise, you can
> specify a self-signed certificate with a PEM sitting at a URL that you
> own and a profile sitting at a URL that you don't. If the authenticating
> service identifies you according to that profile, then forgery would be
> quite easy.

That is correct if the server application needs to do some actions
requiring the user be the one "owning" the profile, which is what most
of the interesting applications of WebID would require.

Ok, back to square 1...
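
The forgery Dave describes, and the binding check that closes it, as an added example (not code from the thread or from any WebID implementation). It assumes a certificate carrying the two proposed URIs plus its public key, and stands in for the profile document with a plain list of key fingerprints (the role cert:public_key plays in a real RDF profile); every URI, key and document in it is constructed.

```python
# Added example (not from the thread): models the forgery described for the
# two-URI certificate proposal and the binding check that rejects it.
# All URIs, keys and documents below are constructed, not real data.
import hashlib


def fingerprint(public_key_pem: str) -> str:
    """SHA-256 over the PEM text stands in for a real key fingerprint."""
    return hashlib.sha256(public_key_pem.encode()).hexdigest()


# Constructed placeholder keys (not real key material).
VICTIM_KEY = "-----BEGIN PUBLIC KEY-----\nVICTIM-KEY-BYTES\n-----END PUBLIC KEY-----"
ATTACKER_KEY = "-----BEGIN PUBLIC KEY-----\nATTACKER-KEY-BYTES\n-----END PUBLIC KEY-----"

# Constructed "web": URI -> document. A profile lists fingerprints of the keys
# its owner controls; a certificate URI serves the PEM of the certificate's key.
WEB = {
    "https://victim.example/profile": {"keys": [fingerprint(VICTIM_KEY)]},
    "https://victim.example/cert.pem": VICTIM_KEY,
    "https://attacker.example/cert.pem": ATTACKER_KEY,
}


def fetch(uri):
    """Stand-in for an HTTP GET; returns None for unknown URIs."""
    return WEB.get(uri)


def naive_verify(cert) -> bool:
    """What the two-URI proposal gives with no binding mechanism: only checks
    that the certificate URI (#2) serves this certificate's public key."""
    served = fetch(cert["cert_uri"])
    return isinstance(served, str) and fingerprint(served) == fingerprint(cert["public_key"])


def verify_binding(cert) -> bool:
    """Additionally require the profile document (#1) to list the certificate's
    key, so whoever controls the profile URI has vouched for this key."""
    if not naive_verify(cert):
        return False
    profile = fetch(cert["profile_uri"])
    if not isinstance(profile, dict):
        return False
    return fingerprint(cert["public_key"]) in profile.get("keys", [])


# Legitimate certificate: key, certificate URI and profile all under one owner.
LEGIT_CERT = {
    "profile_uri": "https://victim.example/profile",
    "cert_uri": "https://victim.example/cert.pem",
    "public_key": VICTIM_KEY,
}

# Forged self-signed certificate: attacker's own key and certificate URI,
# but pointing at a profile URI the attacker does not control.
FORGED_CERT = {
    "profile_uri": "https://victim.example/profile",
    "cert_uri": "https://attacker.example/cert.pem",
    "public_key": ATTACKER_KEY,
}

if __name__ == "__main__":
    print("naive   legit :", naive_verify(LEGIT_CERT))     # True
    print("naive   forged:", naive_verify(FORGED_CERT))    # True  (forgery accepted)
    print("binding legit :", verify_binding(LEGIT_CERT))   # True
    print("binding forged:", verify_binding(FORGED_CERT))  # False (forgery rejected)
```

The point of the pairing is that `naive_verify` succeeds for the forged certificate because the attacker controls everything it inspects, while `verify_binding` consults the document at the profile URI, which only its real owner can edit, so the profile owner's consent to the key becomes part of the check.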
